429cf85f87
The gosu 1.19 binary bundled in the postgres base image was compiled with Go 1.24.6, which contains CVE-2025-68121 (CRITICAL) and 5 HIGH severity Go stdlib vulnerabilities. Since upstream gosu has not released a version built with patched Go (1.24.13+ / 1.25.7+), this adds a multi-stage Docker build that recompiles gosu from source using Go 1.26. Changes: - Pin postgres base image to 17.7-alpine3.22 for reproducibility - Add golang:1.26-alpine3.22 builder stage to compile gosu v1.19 - Replace bundled gosu binary with freshly built version - Pin all postgres:17-alpine references across compose files and CI CVEs fixed: - CVE-2025-68121 (CRITICAL): Go crypto/tls vulnerability - CVE-2025-58183 (HIGH): Go archive/tar unbounded allocation - CVE-2025-61726 (HIGH): Go net/url memory exhaustion - CVE-2025-61728 (HIGH): Go archive/zip CPU exhaustion - CVE-2025-61729 (HIGH): Go crypto/x509 DoS - CVE-2025-61730 (HIGH): Go TLS 1.3 handshake vulnerability Fixes #363 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
18 KiB
18 KiB